The information in this document is based on the Cisco 4200 Series
IDS/IPS Device which runs software version 5.0 and later.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Event action filters are processed as an ordered list and you can move
filters up or down in the list.

Filters let the sensor perform certain actions in response to the event
without requiring the sensor to perform all actions or remove the entire event.
Filters work by the removal of actions from an event. A filter that removes all
actions from an event effectively consumes the event.

Note: When you filter sweep signatures, Cisco recommends that you do not
filter the destination addresses. If there are multiple destination addresses,
only the last address is used to match the filter.

You can configure event action filters to remove specific actions from
an event or to discard an entire event and prevent further processing by the
sensor. You can use event action variables that you defined to group addresses
for your filters. For the procedure on how to configure event action variables,
see the Adding, Editing, and Deleting Event Action
Variables section.

Note: You must preface the variable with a dollar sign ($) in order to
indicate that you use a variable rather than a string. Otherwise, you receive
the Bad source and destination error.

A default name is supplied, but you can change it to a more
meaningful name.

In the Active field, click the Yes radio button in
order to add this filter to the list so that it takes effect on filtering
events.

In the Enabled field, click the Yes radio button in
order to enable the filter.

Note: You must also check the Use Event Action Filters
check box on the Event Action Filters tab, or none of the event action filters
are enabled, regardless of whether you click the Yes radio
button in the Add Event Action Filter dialog box.

In the Signature ID field, enter the signature IDs of all signatures
to which this filter should be applied.

You can use a list, for example, 1000, 1005, or a range, for example,
1000-1005 or one of the SIG variables if you defined them on
the Event Variables tab. Preface the variable with $.

In the SubSignature ID field, enter the subsignature IDs of the
subsignatures to which this filter should be applied. For example,
1-5.

In the Attacker Address field, enter the IP address of the source
host.

You can use one of the variables if you defined them on the Event
Variables tab. Preface the variable with $. You can also enter a range of
addresses, for example, 10.89.10.10-10.89.10.23. Default is
0.0.0.0-255.255.255.255.

In the Attacker Port field, enter the port number used by the
attacker in order to send the offending packet.

In the Victim Address field, enter the IP address of the recipient
host.

You can use one of the variables if you defined them on the Event
Variables tab. Preface the variable with $. You can also enter a range of
addresses, for example, 192.56.10.1-192.56.10.255. Default is
0.0.0.0-255.255.255.255.

In the Victim Port field, enter the port number used by the victim
host in order to receive the offending packet. For example,
0-434.

In the Risk Rating field, enter an RR range for this filter. For
example, 85-100.

If the RR for an event falls within the range you specify, the event
is processed against the criteria of this filter.

From the Actions to Subtract drop-down list, choose the actions you
want this filter to remove from the event. For example, choose Reset
TCP connection.

Tip: Hold down the Ctrl key in order to choose more
than one event action in the list.

In the OS Relevance drop-down list, choose whether you want to know
if the alert is relevant to the OS that has been identified for the victim. For
example, choose Relevant.

In the Deny Percentage field, enter the percentage of packets to
deny for deny attacker features. For instance,
90.

The default is 100 percent.

In the Stop on Match field, choose one of these radio buttons:

Yes—If you want the Event Action Filters component
to stop processing after the actions of this particular filter are
removed.

Any filters that remain are not processed; therefore, no additional
actions can be removed from the event.

No—If you want to continue to process additional
filters.

In the Comments field, enter any comments that you want to store with
this filter, such as the purpose of this filter or why you have configured this
filter in a particular way. For example, NEW FILTER.

Tip: Click Cancel in order to undo your changes and
close the Add Event Action Filter dialog box.

Click OK.

The new event action filter now appears in the list on the Event
Action Filters tab as shown.

Check the Use Event Action Overrides check box as
shown.

Note: You must check the Use Event Action Overrides
check box on the Event Action Overrides tab or none of the event action
overrides become enabled regardless of the value you set in the Add Event
Action Filter dialog box.

Choose an existing event action filter in the list in order to edit
it, and then click Edit.

The Edit Event Action Filter dialog box
appears.

Change any values in the fields that you need to alter.

See steps 4 through 18 for information on how to complete the
fields.

Tip: Click Cancel in order to undo your changes and
close the Edit Event Action Filter dialog box.

Click OK.

The edited event action filter now appears in the list on the Event
Action Filters tab.

Check the Use Event Action Overrides check
box.

Note: You must check the Use Event Action Overrides
check box on the Event Action Overrides tab or none of the event action
overrides are enabled regardless of the value you set in the Edit Event Action
Filter dialog box.

Choose an event action filter in the list in order to delete it, and
then click Delete.

The event action filter no longer appears in the list on the Event
Action Filters tab.

In order to move an event action filter up or down in the list,
choose it, and then click Move Up or Move
Down.

Tip: Click Reset in order to remove your
changes.

Click Apply in order to apply your changes and save
the revised configuration.
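
Why the position of a filter in the list and its Stop on Match setting matter: the following is an added example, not Cisco code and not part of the original document, that models the ordered processing described above in Python. The field names, the "match any" Risk Rating value of 0-100, the single enabled flag, and the sample event and filters are assumptions made for illustration; variables prefixed with $ are not modelled.

```python
import ipaddress
from dataclasses import dataclass

def ip(s):
    return int(ipaddress.IPv4Address(s))

def in_spec(spec, value, conv=int):
    """Match value against a list ('1000, 1005') or range ('1000-1005') field."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if conv(lo) <= conv(value) <= conv(hi or lo):
            return True
    return False

@dataclass
class Filter:
    name: str
    sig_ids: str
    subtract: frozenset                         # Actions to Subtract
    attacker: str = "0.0.0.0-255.255.255.255"   # default given on the page
    victim: str = "0.0.0.0-255.255.255.255"     # default given on the page
    risk_rating: str = "0-100"                  # assumed "match any RR" value
    stop_on_match: bool = False
    enabled: bool = True                        # stands for Active and Enabled both set to Yes

def apply_filters(event, filters):
    """Walk the ordered list; return (actions left on the event, filters that matched)."""
    actions, matched = set(event["actions"]), []
    for f in filters:
        if not (f.enabled and in_spec(f.sig_ids, event["sig_id"])
                and in_spec(f.attacker, event["attacker"], ip)
                and in_spec(f.victim, event["victim"], ip)
                and in_spec(f.risk_rating, event["rr"])):
            continue
        actions -= f.subtract
        matched.append(f.name)
        if f.stop_on_match:
            break                               # later filters never see the event
    return actions, matched

# Constructed sample event and filters (not from a real sensor).
ALL = frozenset({"Produce Alert", "Reset TCP connection", "Deny Attacker Inline"})
EVENT = {"sig_id": 1003, "attacker": "10.89.10.15", "victim": "192.56.10.7",
         "rr": 90, "actions": ALL}
NO_RESET = Filter("no-reset", "1000-1005", frozenset({"Reset TCP connection"}),
                  attacker="10.89.10.10-10.89.10.23", risk_rating="85-100",
                  stop_on_match=True)
CONSUME = Filter("consume", "1000-1005", ALL)

if __name__ == "__main__":
    print(apply_filters(EVENT, [NO_RESET, CONSUME]))  # reset removed, alert and deny kept
    print(apply_filters(EVENT, [CONSUME, NO_RESET]))  # every action removed: event consumed
```

With the narrow filter first and Stop on Match set to Yes, the event keeps its alert and deny actions; with the two filters swapped, the broad filter removes every action and the event is consumed before anyone sees an alert.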